Privacy and Data Processing FAQs
General Background
On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) came into effect. The GDPR set guidelines for the collection and processing of personal data from individuals who reside in the EU (for more information on the GDPR, please refer to our GDPR privacy page, here: https://www.advisa.com/gdpr).
Advisa’s Data Processing Agreement (DPA) was developed to meet the GDPR’s processing requirements, and to facilitate our clients’ compliance with requirements for contracts between entities involved in processing personal data.
Prior to July 2020, the two primary methods used by U.S. companies to implement adequate safeguards to import personal data from the European Economic Area (EEA) were the (1) European Commission’s Standard Contractual Clauses adopted in 2001 and 2010 under the Data Protection Directive 95/46/EC (the “Old SCCs”), and (2) the EU-US Privacy Shield.
What happened in July 2020?
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its decision in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). The CJEU invalidated the Privacy Shield, finding that it did not provide adequate protection to EU citizens, while upholding the use of SCCs for transfers of personal data to third countries.
However, the CJEU ruled that a case-by-case analysis should be performed to determine whether the SCCs should be supplemented with even more safeguards in order to ensure that data subjects would be granted a level of protection in the third country that was essentially equivalent to the protections guaranteed under EU law.
The Schrems II decision was a leading factor in the European Commission recognizing the need to update the SCCs, and it set about doing so in the fall of 2020.
What is applicable now?
On June 4, 2021, the European Commission issued a new set of clauses (the “New SCCs”), which are designed to provide adequate safeguards for the transfer of personal data to a non-EEA country, and are in alignment with the GDPR. The New SCCs must be implemented as follows:
- Starting on September 27, 2021, the New SCCs must be executed for all new data transfers (i.e. new EU/EEA clients).
- There is a transition period, until December 27, 2022, where parties (i.e. existing EU/EEA clients) may continue to rely on Old SCCs that were executed prior to September 27, 2021.
- After December 27, 2022, all data transfers must be converted to the New SCCs.
If I am in the EU/EEA, can I safely transfer my data to the US?
Yes. The New SCCs are a valid mechanism for data transfer from the EU/EEA to the U.S.
Because Advisa is headquartered in the United States, we may have a need to transfer your Personal Information from non-U.S. Respondents and other Users to the United States. We may also have a need to transfer your Personal Information (regardless of where you live) to other countries or places in which we or our customers, distributors, or subcontractors, maintain offices or facilities. As part of the registration process for Advisa, you are asked for your consent to our Services Privacy Policy and agree to allow us to transfer your information outside your home country and to process it inside the United States or elsewhere for the purposes stated in the Services Privacy Policy.
We do not collect information from children. Advisa’s products are not designed to be administered to anyone under the age of 18, therefore we do not solicit or collect any type of information from anyone under the age of 18.
For further information about information collected from visitors to our website, please see our Website Privacy Policy here.
Does Advisa have a Data Protection Officer (DPO)?
Yes, Advisa does have an in-house DPO. Under the GDPR, a company is only required to appoint a DPO if its core activities involve processing of sensitive data on a large scale or involve large scale, regular and systematic monitoring of individuals. Advisa’s processing does not fall into these categories; however, we have determined a DPO to be beneficial to our clients.
How does Advisa protect the security of my Personal Information?
Advisa maintains appropriate technical and organizational security measures designed to ensure the security of Personal Information (as defined in the Services Privacy Policy) and to protect such Personal Information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. Advisa has a written data security policy that describes the policies and procedures by which we and our employees maintain data security.
However, despite all of our efforts, no security safeguards or standards are guaranteed to provide 100% security. Please protect your password information, unique email invitation and its contents. Also, use caution when logging into your account from a shared or public computer.
What are “subprocessors”?
Subprocessors are third parties engaged by Advisa that help us provide our products and services to you, and in doing so, have access to your data. Our “Technical Subprocessors” help us with our technology infrastructure (such as our web servers and hosting providers), and our “Service Subprocessors” are members of the Advisa Partner network (and their subcontractors) that help us provide PI services to you. A complete list of our Technical Subprocessors may be found here.
How can I change, update, or delete my Personal Information?
If you would like to have your user personal information changed, please contact your administrator or contact us using the details below.
If you have any questions or concerns, contact our DPO. If you are not the authorized person to sign for your company for these types of things, please forward to your legal department or Privacy Officer.
Contact Us
If you have any questions, comments or complaints about this Policy or the enforcement of this Policy, or would like to request access to your Personal Data, please contact us as follows:
ADVISA
211 West Main Street Suite 200
Carmel, IN 46032
ATTN: Privacy
Phone: 317-574-1550
DPO Email: lphillips@advisa.com
If you are in the EEA, you also have the right to complain to the local data protection authority (DPA) within the EEA. You can find the details of your local DPA here.